
There's a problem with the links in the print version of this article. The links seem to have http://www.sitepoint.com/" tacked onto the beginning of the URL and /" tacked onto the end.
For example, http://www.sitepoint.com/"http://www.w3clubs.com/sp/ajax/httprequest_example.html/"

The only thing I don't like is the extent to which JavaScript is used. Again we are falling back to limited browser support and cross browser compatibility. It seems like a nice new thing but it just doesn't appeal to me.

Ken, I came to the conclusion that support for 99%+ of my users was enough for me (judging from the list of supported browsers here: http://en.wikipedia.org/wiki/Ajax_%28programming%29 ). And that's gathered from the stats of a site that caters to a fairly low-tech group of people (sports coaches, many using school machines).

For me, the benefits outweigh the risks, which are only decreasing as time goes on, browsers progress, and computers are upgraded. It seems that AJAX is here to stay as the de facto remote scripting standard.

I found it interesting how your code got more, rather than less, complicated as the article progressed. Less code is always better! There's absolutely no reason to use complex DOM manipulation code when innerHTML can achieve exactly the same result. Likewise, why send XML with responseXML when plain responseText is good enough?

If you want an academic excuse for using innerHTML when it isn't part of a W3C standard (even though every browser under the sun supports it), here's the one I use: A web browser's principal activity is taking strings of HTML and turning them into DOM trees. It's utterly ludicrous for that basic ability not to be exposed to developers. innerHTML exposes it.

I've just figured out what it is that made me so uncomfortable about this idea: it's a CSRF (Cross Site Request Forgery) attack waiting to happen.

Let's say you do set up the script without the in_array check behind an authentication system (cookies, sessions or HTTP auth). I can still delete everything on your site. All I have to do is guess the location of your exec.php script and create a page on my own site (or a public forum or what have you) containing the following HTML:

<img src="http://yoursite.com/exec.php?command=rm -rf /">

If I can trick you into visiting that page while your browser is logged in to your command application I can delete every writable file on your server!

Defending against this attack is surprisingly tricky - just using POST instead of GET (which you should be doing anyway for an application that causes changes to the state of the data on your server) isn't enough. You need some kind of token-based scheme that confirms that the GET or POST request to your PHP script originated with your Ajax code. A referral check will just about do the job, but a token scheme is far more robust.
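The token scheme described in the post above, written out as an added example that is not part of this thread or of the article's code. It models the exec.php endpoint as a Python function; the in-memory session store, the cookie dict and the parameter dict are constructed stand-ins for what a real server would receive. It shows why the session cookie alone proves nothing (the browser attaches it to the forged `<img>` request too), why POST-only is necessary but not sufficient (a cross-site form can POST), and how a per-session token that only the page's own Ajax code can read closes the gap.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# (Assumption: a real application would use PHP sessions or similar
# server-side storage; the shape here is only for illustration.)
SESSIONS = {}


def start_session(user):
    """Log a user in and mint a CSRF token bound to that session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def page_token(sid):
    """The value the application's own page embeds (hidden field or JS
    variable) so that its Ajax requests can prove where they came from.
    A page on another site cannot read it, so it cannot forge it."""
    return SESSIONS[sid]["csrf_token"]


def handle_exec(method, cookies, params):
    """Server-side checks for the command endpoint, in the order they
    should run. Returns (status, message) like an HTTP response would."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return (401, "not logged in")
    # A forged <img src=...> is always a GET; refuse state changes over GET.
    if method != "POST":
        return (405, "state-changing requests must be POST")
    # A cross-site auto-submitting form *can* POST, but it cannot include the
    # token, so this is the check that actually stops CSRF.
    sent = params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return (403, "missing or invalid CSRF token")
    command = params.get("command", "")
    # The article's own allow-list (the in_array check) still belongs here:
    # the token proves the request's origin, not that the command is safe.
    return (200, f"accepted command from {session['user']}: {command}")


if __name__ == "__main__":
    sid = start_session("alice")
    forged_img = handle_exec("GET", {"sid": sid}, {"command": "ls"})
    forged_form = handle_exec("POST", {"sid": sid}, {"command": "ls"})
    genuine = handle_exec("POST", {"sid": sid},
                          {"command": "ls", "csrf_token": page_token(sid)})
    print(forged_img, forged_form, genuine, sep="\n")
```

The referrer check mentioned above is weaker than this because the Referer header is optional: browsers and proxies may strip it, so a strict check locks out legitimate users while a lenient one (accepting a missing header) lets a forged request through.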

I seem to be getting the following error message when I attempt to run the XML version of this script. (Yes, the exec_xml.php script does return the correct XML file data and in the correct format).

Error: xmldoc.getElementsByTagName("command").item[0] has no properties

Ok I spent a good hour on this problem and I think the solution I found also applies to Tryst's problem.

I wanted to send back data to my browser using the XML method and the documentElement would be null every time, but when I tried to alert the response in text mode then I could see the XML no problem and I also validated it and it was valid.

So after a lot of looking around I came to the conclusion that if your XML is indented in any way then it won't get DOMed properly at all.

So I eliminated all the \n and all the tabs I had and just made it a 1 line string. This worked and I could then target my elements again with no problems.

I was looking if there's a function to ignore spaces...I guess there isn't?

Oh what I wanted to say....Yes I'm a newbie because this is the first time I'm using AJAX but not 1 article mentioned that this would be a problem and all articles format their xml documents with spaces and indents. So maybe I'm missing something? Also I was using HEREDOC to echo the xml, maybe it doesn't like that?


I agree that innerHTML is a great thing to have around, and I do make use of it fairly often - usually to put simple strings into elements though, and not for structure building.

With a little judicious coding it is possible to construct full DOM element hierarchies without using innerHTML, and with very compact and neat code. I find it much tidier than using innerHTML, and not a great deal more verbose. It's just a matter of how you tackle the problem.

Great Article! I would love to see a more detailed XML example where an XML file with a similar structure to:
<?xml version="1.0" ?>
<root>
<item>
<title>A title</title>
<text>A paragraph or more of text here...</text>
</item>
<item>
<title>A title</title>
<text>A paragraph or more of text here...</text>
</item>
</root>

where you could have from 1 to n items and how best to navigate through the nested XML elements.

Also, I'm not quite sure what the purpose or function of the item(0) in the
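One added example serving both the indentation post above and this request for a multi-item walk; it is not from the thread or the article. It uses Python's xml.dom.minidom, which implements the same W3C DOM calls the article's JavaScript uses (documentElement, getElementsByTagName, item, childNodes, nodeType), so the behaviour carries over to responseXML in a browser. The sample documents are constructed. It demonstrates that indentation inside the document is perfectly legal and parses, but turns root.childNodes[0] into a whitespace text node, so positional navigation breaks while getElementsByTagName does not; and that whitespace before the `<?xml` declaration (a blank line before `<?php`, or output that begins with a newline) is a well-formedness error that yields no document at all, which is one thing worth ruling out when documentElement comes back null. On item(0): NodeList.item is a method that returns the node at that index, or null when the list is empty, so it is called with parentheses; in JavaScript, `item[0]` indexes the function object itself and yields undefined, which is what the "has no properties" error quoted earlier in the thread is about.

```python
from xml.dom import Node, minidom
from xml.parsers.expat import ExpatError

# Constructed sample in the structure asked for, indented as tutorials print it.
INDENTED = """<?xml version="1.0" ?>
<root>
    <item>
        <title>First title</title>
        <text>A paragraph or more of text here...</text>
    </item>
    <item>
        <title>Second title</title>
        <text>More text.</text>
    </item>
</root>
"""

# The same document collapsed onto one line (the workaround from the thread).
ONE_LINE = "".join(line.strip() for line in INDENTED.splitlines())

# A newline *before* the declaration: not well-formed, unlike indentation.
LEADING_NEWLINE = "\n" + INDENTED


def parse(text):
    """Parse the way responseXML does: a DOM document, or None if the
    text is not well-formed XML."""
    try:
        return minidom.parseString(text)
    except ExpatError:
        return None


def first_child_kind(doc):
    """What root.childNodes[0] really is: 'text' for a whitespace node
    (indented input), 'element' when the tags are adjacent."""
    first = doc.documentElement.childNodes[0]
    return "text" if first.nodeType == Node.TEXT_NODE else "element"


def element_text(element, tag):
    """Text inside the first <tag> child, using item(0) as the DOM intends.
    Returns '' when there is no such child instead of failing on null."""
    node = element.getElementsByTagName(tag).item(0)
    if node is None:
        return ""
    return "".join(c.data for c in node.childNodes if c.nodeType == Node.TEXT_NODE)


def items(doc):
    """Walk every <item> under the root, for 1..n items and any indentation:
    skip whitespace text nodes rather than assuming positional children."""
    result = []
    for node in doc.documentElement.childNodes:
        if node.nodeType != Node.ELEMENT_NODE or node.tagName != "item":
            continue
        result.append({"title": element_text(node, "title"),
                       "text": element_text(node, "text")})
    return result


if __name__ == "__main__":
    print("indented first child:", first_child_kind(parse(INDENTED)))
    print("one-line first child:", first_child_kind(parse(ONE_LINE)))
    print("leading newline parses:", parse(LEADING_NEWLINE) is not None)
    for entry in items(parse(INDENTED)):
        print(entry["title"], "->", entry["text"])
```

The practical rule this illustrates: never assume childNodes[0] or firstChild is the element you want when the XML is pretty-printed; either filter by nodeType as `items()` does or address elements by name with getElementsByTagName, and when documentElement is null, check the raw responseText for anything preceding `<?xml` before blaming the markup itself.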